Proposed US Bill Mandates MFA and Cybersecurity Standards for Healthcare

A bipartisan group of US senators has introduced new legislation aimed at strengthening cybersecurity in American hospitals and healthcare organizations. The Health Care Cybersecurity and Resiliency Act of 2024 seeks to mandate the adoption of multi-factor authentication (MFA) and establish minimum cybersecurity standards to protect sensitive health information and ensure system resilience against cyberattacks. 

The proposed law, unveiled by Senators Bill Cassidy (R-Louisiana), Mark Warner (D-Virginia), John Cornyn (R-Texas), and Maggie Hassan (D-New Hampshire), aims to improve coordination between the Department of Health and Human Services (HHS) and the Cybersecurity and Infrastructure Security Agency (CISA). Under this legislation, HHS would have a year to develop a comprehensive cybersecurity incident response plan and update the breach reporting portal with additional transparency requirements. 

Currently, healthcare entities classified as “covered entities” under HIPAA are obligated to report breaches to HHS. The new legislation expands these requirements, compelling organizations to disclose the number of individuals affected by a breach, corrective actions taken, and recognized security practices considered during investigations. The HHS secretary would have discretion to add further information to the portal as needed. In addition to enforcing MFA and encrypting protected health information, the bill outlines broader cybersecurity mandates. Covered entities and their business associates would need to adopt minimum standards defined by HHS, conduct regular audits, and perform penetration testing to validate their security measures. 

Senator Cassidy, a medical doctor and ranking member of the Senate Health, Education, Labor, and Pensions (HELP) Committee, underscored the urgency of this legislation. “Cyberattacks on our healthcare sector not only put patients’ sensitive health data at risk but can delay life-saving care,” Cassidy emphasized. The devastating impact of cyberattacks on healthcare was exemplified earlier this year when a ransomware gang targeted Change Healthcare, compromising sensitive health data from approximately 100 million individuals. 

The attack disrupted healthcare services nationwide and cost the UnitedHealth-owned company over $2 billion in remediation efforts, taking nine months to restore its operations. This high-profile incident spurred additional legislative action. Senators Warner and Ron Wyden (D-Oregon) proposed another bill earlier this year to establish mandatory minimum cybersecurity standards for healthcare providers and related organizations. 

If enacted, the Health Care Cybersecurity and Resiliency Act would mark a significant step in fortifying the healthcare sector's defenses against cyber threats, ensuring the security of patient data and the continuity of critical healthcare services.

Concerns Over Starlink in India: Potential Risks to National Security

As Starlink, Elon Musk’s satellite internet service, prepares to enter India’s broadband market, think tank Kutniti Foundation has raised significant concerns about its potential risks to India’s national security. A report cited by PTI claims Starlink’s close ties with U.S. intelligence and military agencies could make it a threat to India’s interests. The foundation described Starlink as “a wolf in sheep’s clothing,” alleging that its dual-use technology serves American governmental agendas. Unlike traditional telecom networks operating under Indian jurisdiction, Starlink’s global satellite system bypasses local control, granting operational authority to U.S.-based entities. 

Kutniti suggests this could allow for activities such as surveillance or other strategic operations without oversight from India. The report also highlights that Starlink’s key clients include U.S. intelligence and military organizations, positioning it within what the foundation calls the U.S. “intel-military-industrial complex.” India’s Communications Minister Jyotiraditya Scindia recently addressed these concerns, stating that Starlink must meet all regulatory and security requirements before its services can be approved. He confirmed that the government will only consider granting a license once the platform fully complies with the country’s safety standards for satellite broadband.  

Kutniti’s report also examines the broader implications of Starlink’s operations, emphasizing how its ownership and infrastructure could support U.S. strategic objectives. The foundation referenced U.S. laws that prioritize national interests in partnerships with private enterprises, suggesting this could undermine the sovereignty of nations relying on Starlink’s technology. The think tank further criticized the role of Musk’s ventures in geopolitical scenarios, pointing to Starlink’s refusal to assist a Ukrainian military operation against Russia as an example of its influence. 

Additionally, Kutniti noted Musk’s association with Palantir Technologies, a firm known for intelligence collaborations, as evidence of the platform’s involvement in sensitive political matters. Highlighting incidents in countries like Brazil, Ukraine, and Iran, Kutniti argued that Starlink’s operations have, at times, bypassed local governance and democratic norms. The report warns that the satellite network could serve as a tool for U.S. geopolitical leverage, further cementing American dominance in space and global communications. 

India’s careful consideration of Starlink reflects a broader need to balance the benefits of cutting-edge technology with national security concerns. Kutniti’s findings underscore the risks of integrating foreign-controlled networks, especially those with potential geopolitical implications, in an increasingly complex global landscape.

Rising Healthcare Cyberattacks: White House Contemplates Response

Amidst a continuous stream of cyberattacks targeting the healthcare sector, leading to disruptions in hospitals and patient care, the Biden administration is taking a measured approach in formulating regulations to bolster the industry's cybersecurity defenses.

Andrea Palm, Deputy Secretary of Health and Human Services, said the department is examining all of its available options so that the effort advances on a broad front rather than piecemeal. The department oversees several critical aspects of healthcare cybersecurity, including incident preparedness, certification of health IT vendors, and compliance with data security and privacy regulations.

Because it has several distinct regulatory levers over cybersecurity within its purview, Health and Human Services is unusual among federal agencies. It remains unclear whether internal disagreement over the right approach, or a need for additional resources, is delaying the development of healthcare cyber regulations.

During a recent cybersecurity roundtable with industry leaders, representatives from hospital associations and cybersecurity groups discussed concerns and ways for the government to address security gaps that have fueled ransomware attacks. One prevalent concern was the vulnerability of rural hospitals, underscoring how their cybersecurity shortcomings pose a risk to the entire industry.

Many rural hospitals lack specialized IT or cybersecurity staff, and even when present, executives may not be equipped to ask the right questions. To assist these facilities, suggestions included launching regional training programs or "boot camps" for rural hospital leaders.

Mark Jarrett of Northwell Health emphasized the importance of integrating cybersecurity discussions into patient care dialogues, suggesting that it should become a routine part of safety rounds in hospitals. Additionally, Mari Savickis urged the federal Centers for Medicare & Medicaid Services to incorporate cybersecurity into billing discussions with doctors.

Health and Human Services has collaborated with the Cybersecurity and Infrastructure Security Agency (CISA) to address cybersecurity concerns in the healthcare sector. CISA has identified hospitals as one of three priority communities with highly vulnerable targets. Nitin Natarajan, CISA's Deputy Director, emphasized the significance of cybersecurity in safeguarding patient safety.

However, a major challenge remains: how to make cybersecurity upgrades viable for the numerous small, under-funded medical providers across the U.S. One proposed solution is for larger hospital systems to directly offer cybersecurity services to smaller institutions in their regions, possibly with the aid of federal grants. This approach is being discussed, but no specific endorsement has been made yet.

Natarajan stressed that the industry should not solely rely on federal funding for this substantial undertaking, emphasizing the need for a collaborative effort to mitigate cybersecurity risks effectively.